Authentication

--Originally published at Computer and Information Security

Each day, we log into many different webpages, and they ask for authentication. We need to prove that we are who we say we are, but why is it so important? Also, how does it work? Authentication is needed to access personal information, social media, work accounts, to unlock the phone, anywhere. It is almost a requisite for joining any webpage to access certain content. Regarding security, it is the way to block your information from the rest of the world. There are many different ways to prove that you are really you. Commonly, sites ask for a password, but passwords aren’t the only option. The next video uses interesting examples to explain the importance of authentication.

  • Knowledge factors: sometimes, the service that is asking for authentication can ask for names, specific questions, PIN numbers, or the password itself. Those are known as knowledge factors.
  • Possession factors: these are the ones that the user has in possession, such as ID cards, one-time password tokens, specific codes, or any artifact that can prove your authentication.
  • Inherence factors: this authentication factor covers the biometrics of the user, such as fingerprint scans, facial recognition, voice recognition, retina scans, iris scans, among others.


A modern way to authenticate the user is by location, based on the cellphone. This also has to do with device activity and many other complex factors. Nowadays, it is recommended to use at least two-factor authentication for each account. For example, it is possible to activate an account with a password and with a PIN provided by the service company via cellphone.

There are many authentication tools in the market. It is important to be secure and also to protect your personal information. It can be annoying to unlock the accounts with more than 1-factor-authentication, but sometimes it is necessary Continue reading "Authentication"

CIA triad

--Originally published at Computer and Information Security

Confidentiality, integrity and availability are also known as the CIA triad. The CIA triad is a model that establishes some principles for information security; it can be seen as an organizer. These three principles are considered the most important principles for security. They aren’t the only ones, but they can be seen as the three pillars of security. The following video explains these three principles very well:

Confidentiality

Confidentiality can be defined as a series of rules that are responsible for preventing information from reaching the wrong hands. That is, confidentiality is in charge of the access. This access must be restricted for those that don’t have the authorization to see the information. One way to prevent a leakage is to create levels. Most of the time, information is categorized depending on the impact it would have if the specific information was stolen.

Integrity

Integrity is an important pillar of security; it is in charge of the accuracy, consistency and trustworthiness of the information at all times. It is crucial to the security of the data. Information can’t be corrupted or edited by a third party without authorization. Also, while sending data, it must be delivered and received without any modification in between. Software can be involved in order to check the integrity of data that is traveling from one place to another.

Availability

Availability is mainly in charge of the hardware. If there are complications between services or any damage, there must be a resource in charge of fixing it. Also, it needs to be updated all the time and there has to be one that establishes the communication between the different services. There must be an adaptive recovery if it is necessary. It is important to have a way out of problems, even without a person in charge of it.


In Continue reading "CIA triad"

Denial-of-service attacks

--Originally published at Computer and Information Security

Have you ever felt that a webpage is loading too slowly compared to other times, noticed poor network performance while trying to retrieve a file from a cloud server, or an increasing amount of time needed to reach a specific service on the internet? It’s obvious that there are many factors that can influence weak network performance, but it is important to take into account that it could be a denial-of-service attack. It’s not that easy to spot the problem, but first, what is a denial-of-service attack?

We can define a DoS attack as a planned attack on a server in order to disrupt an organization’s network and complicate the entry of its users to its services. The attack can limit access to the network or even deny access. The main point is to prevent any online activity through the servers that are being attacked.

There is also a Distributed Denial-of-Service attack, where the attacker also infects the computers that get connected to the infected servers and now these new computers are used to infect more users. These new infected computers are known as zombies. Zombies are the computers that are controlled by the attacker. With the control of all of the computers, the attacker can use their power to overload the services, such as mail, internet, and network services.

Also, there are three specific categories in which the hackers focus their attacks:

  • Networks
  • Systems
  • Applications


Mainly, all of them create requests to overload the servers until there is no response or until they create an error on the system. One of the main goals is to consume as much bandwidth as possible in order to create slowdowns in networks. Hackers also focus on hardware, such as routers and devices that need network Continue reading "Denial-of-service attacks"

Home networks

--Originally published at Computer and Information Security

It is very useful to know how to change a modem's settings. Changing the password of the home network, or even its name, can be very simple and can slightly increase the security of the network. However, there are more options in a modem's settings, and they can be applied very easily. One advantage of accessing these settings is that you can create local networks within the home or the office. Splitting the network can be useful for connecting certain devices to one of them and the rest to the other; you can create a guest network, or even private networks to try to keep safer certain information that is shared when someone is on the same network. Below is a short tutorial for creating a new home network.

1 – Open the modem's web page

Normally, to access the router's configuration you have to go to the address 192.168.X.X. In this case, to open the configuration of the Telmex modem, you go to 192.168.1.254. The username may vary (TELMEX in this case) and the password is the key that comes on the modem.

2 – Go to Red (Network)

When you enter the modem's configuration, a window similar to this one will appear on the screen. Select the “Red” (Network) option in the left column.

3 – Inalámbrico (Wireless, 2.4GHz or 5GHz)

Once inside the Red option, select in the left column the type of wireless network you want to create. In this case, the 5GHz network will be selected.

4 – Select SSID

In

Continue reading "Home networks"

Privacy? Yes, please

--Originally published at Computer and Information Security

With all the attention that Facebook is receiving, what are you doing to protect your information? Not just your Facebook personal info, but also your internet traffic is somewhere on a server, without even your consent. Facebook isn’t the only one that retrieves your traffic information; Google and many other companies do too, even with a VPN. Nowadays, it is difficult to hide your information from these companies, but there is always a solution, or at least a way to protect your information a little more.

Personally, I do think that ads are necessary when the content is free because it’s work that is given for free. The problem is when the pages that are publishing those ads are also giving your personal info and internet traffic to a third-party company without even telling you, and that’s the point that isn’t fair or correct. With all of the privacy movement, I just decided to look for an AdBlocker for my MacBook Pro. Not just to hide those invasive ads, but also to protect my information a little more. While doing a little research through Reddit, I found a thread asking for some AdBlockers (link: https://www.reddit.com/r/apple/comments/7o7zw9/your_favorite_adblocker_for_safari_macos_with/). Thanks to the comments, I opted for AdGuard. My experience was incredible.


AdGuard isn’t my first ad blocker, but it was completely different from the others. Starting with its interface, it is really easy to use. It has interesting options: a menu appears when a page has ads and it gives you options for the page, such as Block Element, Add Exception, or do not block the page for 30 seconds. From experience, some ad blockers don’t work with some pages because devs are implementing a way to find out when you have an ad blocker, but the cases with AdGuard were

Continue reading "Privacy? Yes, please"

Microservices == Microhell

--Originally published at miguel.net

Microservices, a word that has been buzzing around a lot. Everyone is writing, speaking and developing under the microservices mindset, but it is never that simple: just splitting a service into small pieces and having them interact over the wire can cause a great mess.

Not having a good plan for how the services will interact can cause an auto DDoS, because all the services are too chatty and then overload the network, so essentially, you performed a DDoS attack just by trying to run your system, congratulations.

So, what to do?
Now that the naive solution (http) is discarded, how can you interact in a system where everything is logically separated? Many solutions have evolved throughout the years. One of the best solutions, especially if you need one-way communication, is using a queue service, where messages can be posted and they can be received from the other end of the queue to be processed.

RPCs (Remote Procedure Calls): this method of executing actions is sometimes slow, depending on the level of consistency being used; two-phase commit is very costly but is very effective.

During the 80's and 90's, a paper was shown, called SAGAS, which described long-running transactions on databases, and how to utilize them to make long queries work efficiently. Now it has evolved into Distributed SAGAS, a pattern where each microservice is a task, and a sequence of tasks is transactional, so when an update occurs, every service that needs to be updated will receive the info. Also I really like the idea of a "pipeline" for this kind of situation, for example, maybe a reservation site allows you to book a flight, pay your hotel and rent a car on the same website, at the same time, so then, based Continue reading "Microservices == Microhell"

Become the hackerman of your router

--Originally published at Paco's adventures

This post is for you to experiment with your router. Maybe you know, or don’t, but you can access your router and change stuff like the name of your network, the password and also the password to access the router. To enter the router you first need its IP address, which you can find in the properties of the network you are connected to. After you enter that IP address in a web browser you will be on a log-in page and here is where the fun begins (It’s something like this):

If you check the manual of your router it will tell you that to access it you write something like “admin” or “root” as username and “password” or “admin” for the password. This is the default setting of the router, and you should/must not leave it like that. Why? Because if someone wants to be a bad person, they can enter and modify the things I wrote at the beginning.

You can check the brand of your router on the internet and you will find a page that tells you the default username and password to access it, so it’s not difficult for someone (hacker) to find out and do bad things to your network.

But why am I telling you all of this? Well it’s because of a friend’s story: He went to a place that sells buffalo wings, he saw that the place had wi-fi and just for the heck of it he checked if their router was secure, and oh surprise, it wasn’t. He could’ve done anything he wanted, but he is a really nice guy and told the owner the problem and even helped him fix it. Now, almost every place I go (restaurants, bars, shops, etc.) I try to enter their router so Continue reading "Become the hackerman of your router"

Not even your car is safe!

--Originally published at Paco's adventures

Maybe you have noticed that cars are getting more advanced in their technology. This is great, or is it? More technology doesn’t always mean better or more secure. Of course I’m talking about this from the perspective of informatics; right now most cars have bad security against hackers, or none at all. But, why is this an issue? How can this happen? And what are the big companies going to do? Well, let me tell ya!

First, how can someone hack a car? I’ll try to be as simple as possible with the explanation. A lot of the computers used in cars control things like the brakes, air conditioner, stereo, lights, the gearbox, etc. Almost all cars use a bus network to connect each of the computers. Something like this:

In a network like this, you just need to access one of the computers to see what the other computers are doing, and usually there is not a lot of security inside the bus. It has been proved that a lot of ports in the computers are left open for no reason and the hackers can exploit them. Things like the bluetooth and the wi-fi inside the car don’t have security. Here is an example of cars hacked (Volkswagen and Audi):

https://www.bleepingcomputer.com/news/security/volkswagen-and-audi-cars-vulnerable-to-remote-hacking/

And if you look for yourself, there are more examples of other cars being hackable. All of this is an issue, a big one, because as I said before, they can control things like the brakes and the gearbox. The hackers can cause an accident making it seem like it was your fault and it would also be untraceable. In my opinion the companies should slow down their car releases and start making sure their cars aren’t easily hackable, thankfully they are Continue reading "Not even your car is safe!"

Azure Sphere

--Originally published at miguel.net

Great news came last month: Microsoft launched its first non-NT based OS, a Linux based OS for MCUs (microcontrollers). The great thing here is that they claim to have a solution for the security problem on IoT; they claim to have the most secure OS for MCUs. We all remember that dark day when the "full" internet was down, because a botnet took down one of the main DNS service providers in the USA. It was a hard punch to the IoT movement but it was also an opportunity to really make a deep dive into the security issues of IoT.

What they claim
Microsoft published a great post providing a great overview of the product, but let's just review it.

The certified MCUs are, as they state, secure from the silicon. That means that security is the first thought when building one of these MCUs, but how efficient and cost-value effective are they? Well, we don't know; the first one is about to launch but no price has been said.

Azure Sphere OS: it is an OS that is built for security and agility, that's what they have said, but I haven't found any security test results on the web.

Azure Sphere Security Services: these are cloud services built to provide an upper layer of security to the MCUs and also a layer to push updates of the firmware and user software that will run on the MCU.

My concerns
Well, we know that they love to charge for everything, and also if the services are bound to Azure, then maybe that could be a barrier that is hard to tackle, because not everyone likes Azure; everyone has their issues with any cloud provider.


My conclusions
I really like to see these kinds of things, companies making new technology Continue reading "Azure Sphere"

Never hard code Connection strings

--Originally published at miguel.net

A common practice during development is to just hard code every connection string that is being used in the project, but why is this a bad, and I mean a really bad practice?

Let's see what the C# compiler outputs for hard-coded strings:


As we can see, the line marked as IL_0001 is where the string is being loaded into a variable. It is just written there, without any consideration. Imagine if someone gets access to your binaries: they can just decompile them and read any sensitive string that was hard-coded inside the program.
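The point above, that a hard-coded literal survives compilation in readable form, can be checked against your own build output. The following is an added example in Python, not code from the original post: it pulls printable ASCII and UTF-16LE runs out of a file's bytes (source file or compiled binary) and flags the ones that look like connection strings, redacting the secret in the report. The key names in the patterns and the sample bytes are constructed assumptions.

```python
import re

# Printable runs of 8+ characters, as single-byte text and as UTF-16LE
# (.NET stores string literals as UTF-16 inside the compiled assembly).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# Heuristic (assumed key names): a credential key plus an endpoint key.
SECRET_KEY = re.compile(r"(?i)\b(password|pwd|accountkey|sharedaccesskey)\s*=\s*([^;]+)")
ENDPOINT_KEY = re.compile(r"(?i)\b(server|data source|host|accountname|endpoint)\s*=")

# Constructed sample: a fake binary blob with one embedded UTF-16LE literal.
SAMPLE = (
    b"\x00\x01MZ-not-a-real-binary\x00\x13"
    + "Server=db.example.internal;Database=shop;User Id=app;"
      "Password=Constructed-Pw-1;".encode("utf-16-le")
    + b"\x00\x00\xff"
    + b"Hello, this is an ordinary message"
    + b"\x00"
)


def extract_strings(blob: bytes):
    """Yield (offset, text) for every printable run found in the blob."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), m.group().decode("utf-16-le")


def find_connection_strings(blob: bytes):
    """Return sorted [(offset, redacted_text)] for likely connection strings."""
    findings = []
    for offset, text in extract_strings(blob):
        if SECRET_KEY.search(text) and ENDPOINT_KEY.search(text):
            # Never echo the secret itself into logs or CI output.
            redacted = SECRET_KEY.sub(lambda m: f"{m.group(1)}=<redacted>", text)
            findings.append((offset, redacted))
    return sorted(findings)


if __name__ == "__main__":
    for offset, text in find_connection_strings(SAMPLE):
        print(f"offset {offset}: {text}")
```

Run over a build artifact before release, a non-empty result means a credential was compiled in and should be moved to a secret store and rotated.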

How to store them.

Many approaches can be used: maybe using encrypted files to store those keys, but that can also be cracked, or maybe using environment variables that store the encrypted strings, but again, it can be cracked. So, we cannot trust anybody; we need to be completely away from any kind of machine to be completely safe. But we can trust one institution, and when running on a cloud platform this is important: all cloud providers have their safe way to store these things. Azure has Key Vault, Amazon has Systems Manager Parameter Store and Google has ObjectAccessControls; all of them have their own capabilities and ways to charge you for those services.

Now, you may be asking, why would I trust any of these companies to save my important stuff? You don't have to, but they are certified by some external authorities, so at least you have a way to verify their security.

Additionally you must be careful when pushing a commit to an open repository; it is way too easy to find connection strings on GitHub. I personally use an extension on my IDE that can be configured to produce compiler errors if a connection string is hard-coded, Continue reading "Never hard code Connection strings"